Agents Deserve A Place In Every Zero Trust Strategy

June 16, 2026

A curious theme emerged at the RSA Conference this year (2026). The theme three and four years ago was zero trust, and most vendors, including Netskope, advocated for the value of building zero trust principles into a security strategy. They do work: When the right people have the right access to the right resources at the right times for the right reasons, risk materially declines. This year, those lessons appeared to have been forgotten. The first signboard I saw when I walked out of the hotel was a teaser of what I would see on every other vendor booth, exhorting me to “Trust our AI” or “Trust our agents.” Are our memories truly so short?

A welcome antidote is a recent eBook from Anthropic: “Zero Trust for AI Agents.” It advocates for extending zero trust principles to agents and their interactions with resources and other agents. It suggests a useful way to evaluate security controls by asking a simple question: Does this make the attack impossible or just tedious? Common mitigations that add friction are no match for agentic adversaries who don’t get bored and can’t be worn down. Instead, useful mitigations add barriers that remove adversary capabilities rather than throttle them. The old advice not to be the easiest target (the slowest person running from a bear in the woods) is obsolete when persistent adversaries run 24/7/365 (even the fastest person can’t outrun or outlast the bear).

The eBook discusses five types of threats identified by OWASP and suggests several ways to build defenses into agents and AI applications using native security capabilities. While these accomplish the goal of erecting barriers rather than friction, they’re oriented toward companies with well-established DevSecOps practices. Most companies lack these, but still need to gain visibility across their AI landscape and put barrier-style controls in place. Plus, all companies need to add a policy and governance layer over AI usage and agent interactions. Let’s explore how Netskope and partners can help.

Every zero trust strategy begins with identity

Extending zero trust principles to agents requires that agents possess identities. Anthropic suggests digital certificates for identity verification and mutual TLS for authentication. Yet many agents that companies build or download might not be capable of holding certificates, plus mutual TLS prevents interception of agent traffic for policy enforcement. Through our partnership with Aembit, agents can be identified and authenticated with a wider variety of short-lived credentials that blend agent identity with that of the human invoker. Blended identity is crucial for creating policies that implement barrier-style controls. Developers shouldn’t create, store, or share access tokens across agents because attackers will find these easily.

It also constrains broad access

Once a good identity foundation is in place, a zero trust strategy describes the right access to the right resources. Netskope policies can reference the blended identity to answer the question: Is this specific user, using this specific agent, authorized to access this specific resource right now? Anthropic references OWASP’s notion of “least agency,” a form of least privilege applied to agents. Role- and context-based (attribute-based) access controls accomplish least agency. Policies in Netskope match agent identities to roles and express the allowed context for any access, such as time, location, sensitivity, risk score, application instance, and more. This is why inline inspection of agentic traffic is so important. Agents that attempt to access resources or perform actions outside the policy are simply blocked.
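The access question above can be written as a default-deny decision function. This is an added illustration, not Netskope's policy language or code from the eBook; the users, agents, roles, resources, and the 0-100 risk scale are constructed for the example, and timestamps are assumed to be naive local time.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Request:
    user: str          # human invoker
    agent: str         # agent acting on the user's behalf
    resource: str
    action: str
    when: datetime     # naive local time (assumption)
    risk_score: int    # 0 = low, 100 = high (constructed scale)

# Constructed data. A role is bound to the user+agent pair, never to either alone.
ROLE_BINDINGS = {("alice", "code-review-agent"): "repo-reader"}
ROLE_RULES = {
    "repo-reader": [
        {"resource": "git://payments", "actions": {"read"},
         "hours": (time(8), time(18)), "max_risk": 40},
    ],
}

def decide(req):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    role = ROLE_BINDINGS.get((req.user, req.agent))
    if role is None:
        return False, "no role for this user+agent pair"
    reason = "resource not granted to role"
    for rule in ROLE_RULES.get(role, ()):
        if rule["resource"] != req.resource:
            continue
        start, end = rule["hours"]
        if req.action not in rule["actions"]:
            reason = "action not permitted"
        elif not (start <= req.when.time() < end):
            reason = "outside permitted hours"
        elif req.risk_score > rule["max_risk"]:
            reason = "risk score above threshold"
        else:
            return True, f"allowed by role {role}"
    return False, reason

if __name__ == "__main__":
    noon = datetime(2026, 6, 16, 12, 0)
    print(decide(Request("alice", "code-review-agent", "git://payments", "read", noon, 10)))
    print(decide(Request("alice", "ticket-agent", "git://payments", "read", noon, 10)))
```

The same user with a different agent gets no role at all, which is the point of keying the binding on the blended identity.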

But wait, what’s even running here, and what’s it doing?

Let’s back up a bit. Zero trust strategies assume that companies know all their resources, systems, and data. That is still an unlikely assumption these days, especially regarding AI. Inline inspection helps solve this riddle by:

  • Continuously identifying, in real time, the MCP servers and clients in use, including attributes such as name, ID, URL, version, host, data source, and protocol.
  • Applying risk scores to public MCP servers, to assess quickly and prioritize which AI tools, agents, or integrations pose the greatest security and compliance risks.

Visibility is more than discovery, though. Anthropic’s eBook offers a useful reminder: While access controls prevent unauthorized actions, ongoing visibility reveals what actually happened; furthermore, while visibility captures what agents do, monitoring determines whether those actions are normal or suspicious.

Become the department of know

By observing all AI traffic, Netskope helps companies understand the AI applications, SaaS applications with embedded AI, and MCP servers that process their data, plus user and MCP activity. Companies can:

  • Detect unapproved personal and shadow AI usage in real time to eliminate blind spots.
  • Prevent unauthorized integrations by identifying unmanaged MCP server traffic otherwise invisible to IT.
  • Maintain an inventory of AI assets with risk scores, usage activity logs, threats encountered, and policy or guardrail violations.
  • Automate AI tool evaluation with risk scoring of applications, including security posture, compliance status, and embedded AI features.

Agents will act in unexpected ways that could cause serious harm (the assume-breach aspect of a zero trust strategy has never been more important). Every AI-using company (that’s every company now) must:

  • Detect and monitor traffic between and across MCP servers, clients, functions, hosts, data sources, and development tools.
  • Log MCP events, including sessions, initializations, function requests and responses, and deployments.

As has been possible for human users, Netskope can now establish baseline behavior of non-human agents and then detect anomalies or other indications that reveal compromise or malfunction. Knowing what’s normal informs the baseline risk score that’s part of policies controlling agent behavior.
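A minimal version of that baseline-then-detect loop over logged MCP events, as an added example rather than Netskope's implementation. The `msg` field holds MCP JSON-RPC requests (`initialize`, `tools/call`); the `agent` and `server` envelope fields, host names, and tool names are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample logs, one JSON object per line.
BASELINE_LOG = """
{"agent":"build-agent","server":"mcp.git.internal","msg":{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}}
{"agent":"build-agent","server":"mcp.git.internal","msg":{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"README.md"}}}}
{"agent":"build-agent","server":"mcp.git.internal","msg":{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"list_branches","arguments":{}}}}
"""
LIVE_LOG = """
{"agent":"build-agent","server":"mcp.git.internal","msg":{"jsonrpc":"2.0","id":7,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"Makefile"}}}}
{"agent":"build-agent","server":"mcp.vault.internal","msg":{"jsonrpc":"2.0","id":8,"method":"tools/call","params":{"name":"read_secret","arguments":{"key":"deploy"}}}}
{"agent":"scratch-agent","server":"mcp.git.internal","msg":{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"path":"README.md"}}}}
"""

def tool_calls(log_text):
    """Yield (agent, server, tool) for every tools/call request in the log."""
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        msg = rec["msg"]
        if msg.get("method") == "tools/call":
            yield rec["agent"], rec["server"], msg["params"]["name"]

def build_baseline(log_text):
    """Map each agent to the set of (server, tool) pairs seen during the baseline window."""
    seen = defaultdict(set)
    for agent, server, tool in tool_calls(log_text):
        seen[agent].add((server, tool))
    return seen

def find_anomalies(baseline, log_text):
    """Flag calls from agents with no baseline and calls to tools an agent never used."""
    alerts = []
    for agent, server, tool in tool_calls(log_text):
        if agent not in baseline:
            alerts.append((agent, server, tool, "unknown agent"))
        elif (server, tool) not in baseline[agent]:
            alerts.append((agent, server, tool, "tool not in baseline"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(alert)
```

A production baseline would also track call rates and argument patterns; set membership is the smallest form that still separates expected tool use from a build agent suddenly reading secrets.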

The right reasons

A sometimes-overlooked aspect of a zero trust strategy is incorporating the reason why a person or agent is doing something or is allowed to. Gauging the intent of every agent must become a mandatory step in every zero trust strategy. This requires filtering input into agents because they can’t distinguish between legitimate instructions and malicious commands, and filtering output from agents because they can’t detect harm or recognize when they are being tricked.

Guardrails provide a runtime defense layer for AI environments. By analyzing traffic in real-time, guardrails mitigate prompt injection attacks, jailbreaking, and other attempts to override system rules or exfiltrate data. They moderate content to protect company reputations and restrict the spread of intellectual property to reduce legal liability. In a way, guardrails protect LLMs from misuse and abuse, whether accidental or intentional.

Even companies with strong DevSecOps practices could still benefit from mechanisms that validate whether agents do what people expect. Edamame Technologies (our chief development officer and chief scientist are advisors) offers an AI detection and response platform that observes coding agents independently, from outside the agents themselves. It enforces posture-gated access when intent diverges from activity or attack patterns appear, such as when code starts touching credentials or sending unauthorized data.

The five rights of zero trust, revised

In the introduction I described my favorite way to conceptualize the purpose of a zero trust strategy. It’s time for a slight but necessary modification: ensuring the right people and agents have the right access to the right resources at the right times for the right reasons. It’s a journey we’re ready to take with you right now. Find out more here.


Steve Riley

Steve Riley is a Field CTO. Steve has held technology roles for more than 30 years, including Gartner Inc., Riverbed Technology, Amazon Web Services, and Microsoft Corp.